BW: query execution: Authorization check Logic

Summary

Symptom

The tabular block of the detail check in the authorization check of a query is hard to understand.

Other terms

Rsecadmin, rsecprot, log

Reason and prerequisites

Note 1234567 provides a description of the whole rsecadmin log.

Solution

The rsecadmin log informs you that:

In the next section, all other characteristics are checked in detail:

This means that all optimizations and advance simplifications are completed and the query selection has been split into subselections (sub numbers), if necessary.

Now the main part of the authorization check runs for the individual sub numbers. The process flow is displayed in a table.

The table has a blue header line that begins on the top left:"Following set is checked".

To display sets, the relevant characteristics are always listed in the left part of a column. In the right part, a language similar to SQL is used to describe the sets.

To understand the check, youMustBe familiar with the following logic:

The Background: During Each authorization check, the query gives the selected set to the authorization check. the system then checks whether this set is fully covered by the authorized set (= "authorized") or not (= "not authorized ").

A user may have several individual authorizations. if this is the case, the check is carried out step by step iteratively: The selected set is compared with the first authorization (first authorization set ). if this authorization set already covers the selected set, the check is complete because the selected set is already successfully authorized. if the authorization set doesNotCover the selected set completely, the remaining set that is not yet authorized is determined and displayed: this is the part of the selected set that was not covered by the first authorization (= authorized ).

The same check process begins with this remaining set (remaining selection ). however, now the second authorization is used. the following applies: If the second authorization set covers the remaining selection, the check is complete because the whole selected set is now successfully authorized.

If this is not the case, the system determines the remaining set again. This is now part of the selected set that was not covered by the first or the second authorization.

This process is now repeated until the whole selected set is covered by the authorized sets. Then the check is successful.

Alternatively, this process is repeated until all authorizations of the user have been checked but there is still some of the selection set remaining. this remaining set is then not authorized: the check for this sub number returns "no authorization ".

Important:

Bear in mind that the log may displayUnsuccessfulPartial check during the first iteration steps. however, the selected set may be authorized later on. the result after the last step is the relevant one. this is issued in the text line under the table block.

If a subselection (sub number) is authorized, the system displays the following line in Green:

"Subselection (subnr) is authorized ".

However, if a subselection is not authorized, the system displays the following lines:

"All authorizations tested"

Message eye 007: "You do not have sufficient authorization"

(In yellow ).

"No sufficient authorization for this subselection (subnr )"

(In yellow ).

Then the system may display the text block

"Following chanmids are affected :"

123 ()

345 ()

The specification of the technical characteristic names (after chanmid) indicates the characteristics for which the check failed. note that each selected characteristic may be authorized on its own. however, what is relevant is the whole selected set, that is,CombinationOf all selected characteristic values.

Consider the following points in particle:

1. The first field "following set is checked", at the top left of the blue table is usuallyThe most important: Here, you have the unchanged selected set as it is requested by the query. If you think there may be a problem with the authorization check, you showould firstAlwaysCheck whether this set is what you expect CT:

Does the query request the correct data? Or does it try to read more data than expected? (This may lead to "no authorization ").

If this is the case, it does not mean that the error lies in the authorization check, rather that you must check the query definition: to narrow down the error, first replace all variable selections with fixed selections. if there are "constant selections" in the query, deactivate them or check them. if there are "cell definitions", deactivate them or check them. (Note that a customer message can be processed more quickly if the component is correct .)

2. If long lists of single values are selected or authorized, for example, the table may be very large. However, the main structure is always the same.

3. due to the internal flow of the authorization check, a block in the table may be displayed twice one after the other. however, due to the check logic mentioned, this is not a problem and does not change the result of the check.

4. "Not" conditions may appear in the remaining set, in particle. This is not an error, rather the logical sequence of creating a remaining set: Selected set minus authorized set.

After one subselection is checked, the check is carried out for the next one, this time with the heading:

"Subselection (Technical subnr) 2"

(Highlighted in light orange)

The processing of all subselections is completed with the entry:

"Authorization check complete"

(In italics and highlighted in orange)

Source Document